Carbon Black Cloud: Why is there an alert from the IOC report "Powershell Setting Registry Run" for process powershell.exe, but no actual regmod event reported?

Article ID: 285905

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why is there an alert reporting that process powershell.exe was detected by the IOC report "Powershell Setting Registry Run", but no corresponding regmod event?

Environment

  • Carbon Black Cloud Backend: All versions
  • Carbon Black Cloud Sensors: All versions

Resolution

In the Alert's fly-out details panel, the description of the IOC report that was invoked is shown:

Name
    Powershell Setting Registry Run Key | Persistence | T1547
Description
    Detects a registry "Run" key mentioned in a fileless scriptload, which could be indicative of an attempt to create persistence. Check the value of the key to determine which program will run upon system startup.
IOC hit
    (fileless_scriptload_cmdline:New-ItemProperty AND (fileless_scriptload_cmdline:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run OR fileless_scriptload_cmdline:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce) NOT fileless_scriptload_cmdline:autodesk)
This means the IOC in the report does not look for a regmod (registry modification) event at all. It matches on the fileless_scriptload_cmdline field: a fileless script load whose text contains New-ItemProperty together with the SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunOnce key path, excluding anything mentioning autodesk. Any PowerShell script whose text references those strings produces the hit, whether or not the registry value was actually written, so the alert can fire with no regmod event behind it. To confirm persistence, check the value of the Run/RunOnce key on the endpoint, or search the same process's regmod events for a write to that key.
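The following is an added example, not Carbon Black's own code, that mirrors the IOC's logic over a few constructed fileless_scriptload_cmdline values and then cross-checks each hit against a constructed list of regmod events. It assumes a case-insensitive substring match as a stand-in for the backend's tokenised term search, and the sample script text and regmod list are invented for illustration. It shows why a script that merely mentions New-ItemProperty and the Run key (in a comment, or as a -WhatIf dry run) triggers the IOC while producing no registry write.

```python
"""Added example: evaluate the "Powershell Setting Registry Run Key" IOC
over script-load text and flag hits that have no corroborating regmod."""
from typing import Dict, List, Set

# Registry key paths named in the IOC (backslashes are literal path separators).
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUNONCE_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"


def _has(text: str, term: str) -> bool:
    # Assumption: case-insensitive substring match approximates the
    # backend's case-insensitive term search on fileless_scriptload_cmdline.
    return term.lower() in text.lower()


def ioc_matches(cmdline: str) -> bool:
    """Evaluate the IOC against one fileless_scriptload_cmdline value.

    Mirrors: New-ItemProperty AND (Run OR RunOnce) NOT autodesk.
    It inspects script text only and never consults registry telemetry,
    which is exactly why a hit does not imply a regmod event.
    """
    return (
        _has(cmdline, "New-ItemProperty")
        and (_has(cmdline, RUN_KEY) or _has(cmdline, RUNONCE_KEY))
        and not _has(cmdline, "autodesk")
    )


# Constructed sample script loads keyed by a short label (not real telemetry).
SAMPLES: Dict[str, str] = {
    # Real persistence: writes a Run value.
    "real_persistence": (
        r'New-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
        r'-Name Updater -Value "C:\Users\Public\u.exe" -PropertyType String'
    ),
    # Only a comment mentions the cmdlet and key; nothing is written.
    "comment_only": (
        r"# Example: New-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce -Name X -Value Y"
        "\n" 'Write-Host "nothing written"'
    ),
    # -WhatIf performs a dry run, so no registry modification occurs.
    "whatif_dry_run": (
        r'New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" '
        r"-Name Setup -Value setup.exe -WhatIf"
    ),
    # Excluded by the NOT autodesk clause even though it writes the key.
    "autodesk_excluded": (
        r'New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
        r'-Name AutodeskDesktopApp -Value "C:\Program Files\Autodesk\AdAppMgr.exe"'
    ),
    # Reads the key; no New-ItemProperty, so no hit.
    "read_only": r'Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"',
}

# Constructed regmod telemetry: labels of samples that actually wrote the key.
REGMOD_EVENTS: Set[str] = {"real_persistence", "autodesk_excluded"}


def evaluate(samples: Dict[str, str]) -> Dict[str, bool]:
    """Return the IOC verdict for every sample, preserving input order."""
    return {label: ioc_matches(cmd) for label, cmd in samples.items()}


def alerts_without_regmod(samples: Dict[str, str], regmods: Set[str]) -> List[str]:
    """Labels that hit the IOC but have no regmod event to corroborate them.

    These are the alerts the article describes: the script text matched,
    so the analyst must check the key value on the endpoint instead.
    """
    return [label for label, hit in evaluate(samples).items()
            if hit and label not in regmods]


if __name__ == "__main__":
    for label, hit in evaluate(SAMPLES).items():
        print(f"{label:18} ioc_hit={hit!s:5} regmod={label in REGMOD_EVENTS}")
    print("Hits needing a manual key check:", alerts_without_regmod(SAMPLES, REGMOD_EVENTS))
```

When triaging a real alert, the equivalent of the last step is to search the process's regmod events for the Run or RunOnce key path; if none exist, inspect the script text that produced the fileless_scriptload_cmdline hit to see whether it only referenced the key.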

Additional Information

https://docs.vmware.com/en/VMware-Carbon-Black-Cloud/services/carbon-black-cloud-user-guide/GUID-A0DD1C57-4EC1-4DCF-85D4-0A299582580C.html